Cash Value of Android Zero-Day Exploits Surpasses iOS

Apple has long positioned itself as the more secure choice compared with open platforms like Windows and Android, but that may no longer hold. As previously unreported “zero-day” iOS exploits pile up, security researchers are watching the cash value of that research fall. Zerodium, the largest buyer of such flaws, has updated its payout schedule: Android exploits now command a maximum of $2.5 million, while iOS tops out at $2 million.

Last month, we reported on a series of iOS exploits uncovered by Google’s Project Zero. Google isn’t in the business of selling exploits, so it analyzed the campaign and reported it to Apple responsibly. Google found websites using multiple exploit chains to steal data from almost every recent version of iOS, and those sites had been operating for at least two years.

Apple rolled out an update to iDevices that blocked those exploits, but you have to wonder how many more unreported attacks are still in circulation. The perpetrators of this campaign weren’t even treating the exploits like a valuable commodity. They were hacking iPhone users indiscriminately when they could have reserved the chains for targeted attacks against high-value victims. Had they gone that route, they might never have been caught.

Apple talks up iPhone security, but Zerodium says it’s falling behind.

Zerodium pays large sums for exploits so it can supply the research and mitigation measures exclusively to its corporate and government clients. Zerodium founder and CEO Chaouki Bekrar says the company still receives ample submissions for iOS exploits, mostly targeting Safari and iMessage. There are so many that the company has started turning down some offers from researchers. Functional zero-click or one-click exploits for Android, on the other hand, are increasingly rare, especially for versions 8.0 and later.

Given the state of the major operating systems, Zerodium decided it makes sense to assign a higher value to Android exploits. Zerodium doesn’t pay $2.5 million for just any Android hack, though. Researchers must first submit basic details of the exploit and then wait for an offer from Zerodium. The $2.5 million top payout applies only to serious flaws in Android 8, 9, or 10. Apple’s lower $2 million maximum is still nothing to sneeze at; serious exploits for desktop systems top out at $1 million. Because the mobile platforms were built more recently, they integrate more security features at a low level, which makes them harder to compromise than desktop operating systems.
